[PATCH] D81103: [llvm-readelf] - Do not try to read past the end of the file when dumping the SHT_GNU_HASH.
George Rimar via Phabricator via llvm-commits
llvm-commits at lists.llvm.org
Wed Jun 3 08:44:58 PDT 2020
grimar created this revision.
grimar added reviewers: jhenderson, MaskRay.
Herald added subscribers: rupprecht, emaste.
Herald added a reviewer: espindola.
Herald added a project: LLVM.
We have an unobvious issue in the condition that is used to check
that we do not read past the EOF.
The problem is that the result of the "GnuHashTable->nbuckets * 4" expression is uint32.
Because of that it was still possible to overflow it and pass the check.
There was no such problem with the "GnuHashTable->maskwords * sizeof(typename ELFT::Off)"
condition, because of `sizeof` on the right (which gives a 64-bit value on x64),
but I've added an explicit conversion to a 64-bit value for `GnuHashTable->maskwords` too.
https://reviews.llvm.org/D81103
Files:
llvm/test/tools/llvm-readobj/ELF/hash-histogram.test
llvm/tools/llvm-readobj/ELFDumper.cpp
Index: llvm/tools/llvm-readobj/ELFDumper.cpp
===================================================================
--- llvm/tools/llvm-readobj/ELFDumper.cpp
+++ llvm/tools/llvm-readobj/ELFDumper.cpp
@@ -2681,8 +2681,8 @@
uint64_t TableOffset = TableData - Obj->base();
if (IsHeaderValid)
*IsHeaderValid = TableOffset + /*Header size:*/ 16 < Obj->getBufSize();
- if (TableOffset + 16 + GnuHashTable->nbuckets * 4 +
- GnuHashTable->maskwords * sizeof(typename ELFT::Off) >=
+ if (TableOffset + 16 + (uint64_t)GnuHashTable->nbuckets * 4 +
+ (uint64_t)GnuHashTable->maskwords * sizeof(typename ELFT::Off) >=
Obj->getBufSize())
return createError("unable to dump the SHT_GNU_HASH "
"section at 0x" +
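Review bot: the two `(uint64_t)` casts in the bounds check carry no comment saying why they are there, and the one on `maskwords` looks redundant next to `sizeof` on a 64-bit host, so a later cleanup could drop it and reintroduce the wrap. Suggest a one-line comment above the `if` stating that both multiplications must be carried out in 64 bits because the operands are 32-bit header fields and the products can otherwise wrap before being compared with `Obj->getBufSize()`. The cast on `maskwords` is also what keeps the check correct on a host where `sizeof` yields a 32-bit value, which is worth stating in that comment. As a style point, `static_cast<uint64_t>(...)` would make the widening easier to grep for than the C-style cast.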
Index: llvm/test/tools/llvm-readobj/ELF/hash-histogram.test
===================================================================
--- llvm/test/tools/llvm-readobj/ELF/hash-histogram.test
+++ llvm/test/tools/llvm-readobj/ELF/hash-histogram.test
@@ -271,7 +271,7 @@
## Case A: the 'nbuckets' field is set so that the GNU hash table goes past the end of the file.
## The value of 1 for the NBUCKETS is no-op.
-# RUN: yaml2obj --docnum=6 -D MASKWORDS=4294967295 -D NBUCKETS=1 %s -o %t7
+# RUN: yaml2obj --docnum=6 -D MASKWORDS=0x80000000 -D NBUCKETS=1 %s -o %t7
# RUN: llvm-readelf --elf-hash-histogram %t7 2>&1 | \
# RUN: FileCheck %s -DFILE=%t7 --check-prefix=ERR5 --implicit-check-not="Histogram"
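Review bot: the Case A heading says the 'nbuckets' field pushes the table past the end of the file, but the RUN line sets MASKWORDS=0x80000000 and leaves NBUCKETS=1, so it is the maskwords term of the check that this case exercises. Since the line is being touched anyway, suggest correcting the heading to name 'maskwords' so that a failure of ERR5 here points the reader at the right operand of the bounds check.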
@@ -279,7 +279,7 @@
## Case B: the 'maskwords' field is set so that the GNU hash table goes past the end of the file.
## The value of 1 for the MASKWORDS is no-op.
-# RUN: yaml2obj --docnum=6 -D MASKWORDS=1 -D NBUCKETS=4294967295 %s -o %t8
+# RUN: yaml2obj --docnum=6 -D MASKWORDS=1 -D NBUCKETS=0x80000000 %s -o %t8
# RUN: llvm-readelf --elf-hash-histogram %t8 2>&1 | \
# RUN: FileCheck %s -DFILE=%t8 --check-prefix=ERR5 --implicit-check-not="Histogram"
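Review bot: nothing near the new RUN line records why NBUCKETS moved from 4294967295 to 0x80000000. In 32-bit arithmetic 0x80000000 * 4 wraps to 0, while 4294967295 * 4 wraps to 0xFFFFFFFC, which is still large enough to trip the old check, so only the new value actually covers the overflow this patch fixes. Suggest a short `##` comment saying the value is chosen so that `nbuckets * 4` wraps to zero in 32 bits, to keep it from being changed back later. The Case B heading also names 'maskwords' while the large value is passed as NBUCKETS, and could be corrected in the same edit.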